The Hacker News — Cyber Security, Hacking, Technology News

In an attempt to protect Android users from malware and shady apps, Google has been continuously working to detect and remove malicious apps from your devices using its newly launched Google Play Protect service.

Google Play Protect—a security feature that uses machine learning and app usage analysis to check devices for potentially harmful apps—recently helped Google researchers identify a new deceptive family of Android spyware that was stealing large amounts of data about users.

Discovered on targeted devices in African countries, Tizi is a fully-featured Android backdoor with rooting capabilities that installs spyware apps on victims' devices to steal sensitive data from popular social media apps like Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.

"The Google Play Protect security team discovered this family in September 2017 when device scans found an app with rooting capabilities that exploited old vulnerabilities," Google said in a blog post. "The team used this app to find more applications in the Tizi family, the oldest of which is from October 2015."

Most Tizi-infected apps are being advertised on social media websites and 3rd-party app stores, tricking users into installing them.

Once installed, the innocent-looking app gains root access on the infected device to install spyware, which then makes first contact with its command-and-control servers by sending an SMS text message containing the GPS coordinates of the infected device to a specific number.

If the backdoor is unable to gain root access on the infected device because all the vulnerabilities it exploits have been patched, "it will still attempt to perform some actions through the high level of permissions it asks the user to grant to it, mainly around reading and sending SMS messages and monitoring, redirecting, and preventing outgoing phone calls," Google said.
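The permission cluster Google describes (SMS read/send plus outgoing-call control, with location on top for the SMS beacon) is something an analyst can triage straight from an app's manifest. The following is an added example, not code from the article or from Google: it parses a constructed AndroidManifest.xml for a hypothetical "cleaner" utility (not a real Tizi sample) and flags the combination. The permission identifiers are real Android permission names; the sample manifest and the `triage` function are assumptions made for the illustration.

```python
"""Triage an Android manifest for the SMS / call-control permission cluster.

Added example; the manifest below is constructed, not taken from a real sample.
"""
import xml.etree.ElementTree as ET

ANDROID_NS = "http://schemas.android.com/apk/res/android"

# Real Android permission identifiers, grouped by the behaviour the text describes.
SMS_PERMISSIONS = {
    "android.permission.READ_SMS",
    "android.permission.SEND_SMS",
    "android.permission.RECEIVE_SMS",
}
CALL_PERMISSIONS = {
    "android.permission.PROCESS_OUTGOING_CALLS",
    "android.permission.READ_PHONE_STATE",
    "android.permission.CALL_PHONE",
}
LOCATION_PERMISSIONS = {
    "android.permission.ACCESS_FINE_LOCATION",
    "android.permission.ACCESS_COARSE_LOCATION",
}

# Constructed sample manifest for a hypothetical "cleaner" app (assumption, not a real sample).
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.cleaner">
    <uses-permission android:name="android.permission.INTERNET"/>
    <uses-permission android:name="android.permission.READ_SMS"/>
    <uses-permission android:name="android.permission.SEND_SMS"/>
    <uses-permission android:name="android.permission.PROCESS_OUTGOING_CALLS"/>
    <uses-permission android:name="android.permission.ACCESS_FINE_LOCATION"/>
    <application android:label="Cleaner"/>
</manifest>
"""

# Constructed benign manifest used as a control case.
BENIGN_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
    package="com.example.notes">
    <uses-permission android:name="android.permission.INTERNET"/>
    <application android:label="Notes"/>
</manifest>
"""


def requested_permissions(manifest_xml: str) -> set:
    """Return the set of permission names declared in <uses-permission> elements."""
    root = ET.fromstring(manifest_xml)
    name_attr = "{%s}name" % ANDROID_NS  # android:name in Clark notation
    return {el.get(name_attr) for el in root.iter("uses-permission") if el.get(name_attr)}


def triage(manifest_xml: str) -> dict:
    """Summarise which sensitive permission groups a manifest requests and whether
    it combines SMS access with call control or location (the cluster in the text).
    A hit is a triage signal for closer review, not proof of malice on its own."""
    root = ET.fromstring(manifest_xml)
    perms = requested_permissions(manifest_xml)
    findings = {
        "package": root.get("package"),
        "sms": sorted(perms & SMS_PERMISSIONS),
        "calls": sorted(perms & CALL_PERMISSIONS),
        "location": sorted(perms & LOCATION_PERMISSIONS),
    }
    findings["suspicious"] = bool(findings["sms"]) and bool(
        findings["calls"] or findings["location"]
    )
    return findings


if __name__ == "__main__":
    for manifest in (SAMPLE_MANIFEST, BENIGN_MANIFEST):
        print(triage(manifest))
```

On a real device the same check can be run against the output of `pm dump <package>` or an unpacked APK's decoded manifest; the point is that a "cleaner" or "backup" utility has no business holding SMS send rights together with outgoing-call interception.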

Tizi spyware has also been designed to communicate with its command-and-control servers over regular HTTPS or the MQTT messaging protocol, receiving commands from the attackers and uploading stolen data.

The Tizi backdoor contains various capabilities common to commercial spyware, such as:

Stealing data from popular social media platforms including Facebook, Twitter, WhatsApp, Viber, Skype, LinkedIn, and Telegram.

Security researchers at Google have discovered a new family of deceptive Android spyware that can steal large amounts of data about users, including text messages, emails, voice calls, photos, location data, and other files, and spy on them.

Dubbed Lipizzan, the Android spyware appears to be developed by Equus Technologies, an Israeli startup that Google referred to as a 'cyber arms' seller in a blog post published Wednesday.

With the help of Google Play Protect, the Android security team has found Lipizzan spyware on at least 20 apps in Play Store, which infected fewer than 100 Android smartphones in total.

Google has quickly blocked and removed all of those Lipizzan apps and the developers from its Android ecosystem, and Google Play Protect has notified all affected victims.

For those unaware, Google Play Protect is part of the Google Play Store app and uses machine learning and app usage analysis to weed out the dangerous and malicious apps.

Lipizzan: Sophisticated Multi-Stage Spyware

According to Google, Lipizzan is a sophisticated multi-stage spyware tool that gains full access to a target Android device in two steps.

In the first stage, attackers distribute Lipizzan by disguising it as an innocuous-looking legitimate app, typically named something like "Backup" or "Cleaner", through various Android app stores, including the official Play Store.

Once installed, Lipizzan automatically downloads the second stage, presented as a "license verification", which surveys the infected device to ensure the device is unable to detect the second stage.

After completing the verification, the second-stage malware roots the infected device using known Android exploits. Once rooted, the spyware starts exfiltrating device data and sending it back to a remote command-and-control server controlled by the attackers.

Very little information about Equus Technologies (which is believed to have been behind Lipizzan) is available on the Internet. The description on the company's LinkedIn account reads:

"Equus Technologies is a privately held company specialising in the development of tailor made innovative solutions for law enforcement, intelligence agencies, and national security organisations."

Earlier this year, Google found and blocked a dangerous Android spyware, called Chrysaor, allegedly developed by NSO Group, which was being used in targeted attacks against activists and journalists in Israel, Georgia, Turkey, Mexico, the UAE and other countries.

NSO Group Technologies is the same Israeli surveillance firm that built the Pegasus iOS spyware initially detected in targeted attacks against human rights activists in the United Arab Emirates (UAE) last year.

How to Protect your Android device from Hackers?

Android users are strongly recommended to follow these simple steps in order to protect themselves:

In order to keep its billions of users safe, Google has introduced another security defense for its Android devices, called Google Play Protect.

Google Play Protect, which is part of the Google Play Store app, uses machine learning and app usage analysis to weed out dangerous and malicious apps, which have long been an albatross around the tech giant's neck.

Since Google Play Protect actually comes with the Google Play Store, users do not need to install or activate this security feature separately.

Google Play Protect for Android devices consists of:

App scanning

Anti-Theft Measures

Browser Protection

Play Protect's App Scanning Feature

Google Play Protect is an always-on service which Google says scans 50 billion apps each day across a billion Android devices to ensure they are safe.

Google already has a number of security measures in place to help keep your smartphones safe, including Verify Apps and its Bouncer service, but once apps have been uploaded to the Play Store and installed on your device, Google had nothing in place to monitor the behavior of those apps – something that most malware apps were abusing.

Running automatically in the background, Google Play Protect is built into devices and not only analyses apps before they appear on the Play Store, but also monitors them once installed on the device, including apps that have been installed from third-party stores.

For this, Google makes use of machine learning algorithms that automatically compare app behavior and single out apps acting abnormally; if it encounters a malicious app, it warns you or even disables the app to prevent further harm.

Google says it works around the clock to keep up with the latest threats

Google says the new machine learning system is updated regularly to help the Android ecosystem stay one step ahead of potential threats by always looking out for "new risks, identifying potentially harmful apps and keeping them off your device or removing them."

Play Protect's Anti-Theft Measures

With the introduction of Google Play Protect, Android Device Manager has been replaced with Find My Device, which is used to locate lost and misplaced devices.

You can use a browser or any other device to remotely call, locate, and lock your Android device, or even erase its data remotely to protect sensitive information.

Find My Device is the same solution as before, but Google has included it in the Google Play Protect program.

Play Protect's Browser Protection

With the Safe Browsing feature in Chrome, Play Protect lets users stay safe while browsing the Internet.

Usually, viruses, worms and other malware land on your smartphones and computers through the web browser. So, if you visit any website that is acting suspiciously, the Safe Browsing feature will warn you and block websites that seem sketchy or unsafe.

Google Play Protect service will be rolling out to Android devices over the coming weeks.